Tighten the content security policies for profiles.

Use template variables instead of CSS variables in Nox for better browser backwards compatibility.
Emit a local error instead of an internal error when submitting an activation token as a guest or invalid user.
Moved the inline profile scripts into profile_member.js
This commit is contained in:
Azareal 2019-03-04 16:43:07 +10:00
parent 4d1f80edab
commit 3cb5896316
5 changed files with 30 additions and 37 deletions

18
public/profile_member.js Normal file
View File

@ -0,0 +1,18 @@
function handle_profile_hashbit() {
var hash_class = "";
switch(window.location.hash.substr(1)) {
case "ban_user":
hash_class = "ban_user_hash";
break;
default:
console.log("Unknown hashbit");
return;
}
$(".hash_hide").hide();
$("." + hash_class).show();
}
$(document).ready(() => {
if(window.location.hash) handle_profile_hashbit();
window.addEventListener("hashchange", handle_profile_hashbit, false);
});

View File

@ -673,7 +673,7 @@ func AccountEditEmailTokenSubmit(w http.ResponseWriter, r *http.Request, user co
targetEmail := common.Email{UserID: user.ID}
emails, err := common.Emails.GetEmailsByUser(&user)
if err != nil {
return common.InternalError(err, w, r)
return common.LocalError("You are not logged in", w, r, user)
}
for _, email := range emails {
if email.Token == token {

View File

@ -31,7 +31,7 @@ func init() {
func ViewProfile(w http.ResponseWriter, r *http.Request, user common.User, header *common.Header) common.RouteError {
// TODO: Preload this?
header.AddSheet(header.Theme.Name + "/profile.css")
header.LooseCSP = true
header.AddScript("profile_member.js")
var err error
var replyCreatedAt time.Time

View File

@ -114,26 +114,4 @@
</div>
{{if .CurrentUser.Loggedin}}
{{/** Quick subpage switcher **/}}
{{/** TODO: Stop inlining this **/}}
<script type="text/javascript">
function handle_profile_hashbit() {
var hash_class = ""
switch(window.location.hash.substr(1)) {
case "ban_user":
hash_class = "ban_user_hash"
break
default:
console.log("Unknown hashbit")
return
}
$(".hash_hide").hide()
$("." + hash_class).show()
}
if(window.location.hash) handle_profile_hashbit()
window.addEventListener("hashchange", handle_profile_hashbit, false)
</script>
{{end}}
{{template "footer.html" . }}

View File

@ -1,9 +1,6 @@
:root {
--darkest-background: #222222;
--second-dark-background: #292929;
--third-dark-background: #333333;
}
{{$darkest_bg := "#222222"}}
{{$second_dark_bg := "#292929"}}
{{$third_dark_bg := "#333333"}}
* {
box-sizing: border-box;
}
@ -11,7 +8,7 @@ body {
margin: 0px;
padding: 0px;
color: #AAAAAA;
background-color: var(--darkest-background);
background-color: {{$darkest_bg}};
font-family: "Segoe UI";
}
a {
@ -20,7 +17,7 @@ a {
}
nav.nav {
background: var(--darkest-background);
background: {{$darkest_bg}};
width: calc(100% - 200px);
float: left;
}
@ -103,7 +100,7 @@ li a {
.right_of_nav {
float: left;
width: 200px;
background-color: var(--darkest-background);
background-color: {{$darkest_bg}};
padding-top: 12px;
padding-bottom: 12px;
padding-right: 12px;
@ -112,7 +109,7 @@ li a {
display: flex;
flex-direction: row;
border-radius: 3px;
background-color: var(--third-dark-background);
background-color: {{$third_dark_bg}};
padding-top: 11px;
padding-bottom: 11px;
padding-left: 12px;
@ -143,7 +140,7 @@ li a {
clear: both;
}
#back {
background: var(--third-dark-background);
background: {{$third_dark_bg}};
padding: 24px;
padding-top: 12px;
clear: both;
@ -1294,7 +1291,7 @@ input[type=checkbox]:checked + label .sel {
@media(min-width: 1010px) {
.container {
background-color: var(--second-dark-background);
background-color: {{$second_dark_bg}};
}
#back, .footer {
width: 1000px;